Krebs on Security

In-depth security news and investigation

Posts Tagged: Mike Reavey

Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000.

The bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.

The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for “truly novel exploitation techniques” against protections built into the latest version of Windows — Windows 8.1 Preview. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.

These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

Microsoft has issued an emergency security update to block an avenue of attack first seen in “Flame,” a newly-discovered, sophisticated malware strain that experts believe was designed to steal data specifically from computers in Iran and the Middle East.

According to Microsoft, Flame tries to blend in with legitimate Microsoft applications by cloaking itself with an older cryptography algorithm that Microsoft used to digitally sign programs.

“Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” the company said in a blog posting today.

Mike Reavey, senior director for the Microsoft Security Response Center, said Microsoft isn’t so concerned about Flame, which is now well detected (finally) by antivirus programs, and appears to have spread to a very small number of select systems. Rather, the company is worried that other attackers and malware might leverage the same method to aid in phishing attacks and other schemes that impersonate Microsoft to gain user trust.

The update released this week (KB2718704) blocks software signed by these Terminal Server License Service certificates. Updates are available for virtually all supported versions of Microsoft Windows. The patch is currently being pushed out through Windows Update and Automatic Update.

Microsoft confirmed today that the recent spate of Windows XPcrashes and blue-screens experienced by people who installed this month’s batch of security updates were found mainly on systems that were already infected with a rootkit, a tool designed to hide malware infestations on host computers.

The folks at Redmond initially suspected rootkits may have played a part in the interminable reboot loops that many Windows users suffered from following February’s Patch Tuesday, but the company also said that it couldn’t rule out the possibility that third-party hardware and software conflicts might have also been to blame. Today, Microsoft rejected the latter possibility, and said it had concluded that the reboot occurs because the system is infected with malware, specifically the Alureon Rootkit.